[this_steve_j]

There are four different micro-segmentation variations in the NIST reference guide: device-agent/gateway, enclaves, resource portals, and application sandboxing.

Basically a policy evaluation point (PEP) evaluates the security posture of both parties before and after a handshake, then creates a logical or physical path of some kind of between the actor and the resource. This can be done with software-defined virtual networks and stateful firewalls, at one or more of the OSI layers.

[ptsneves]

So the policy evaluation point has the keys to the kingdom and is the single point of failure, vs standard distributed authorisation declaration that would be up to each component of the system to implement.

How is this PEP better?